And he was hoping I could tell him "who" was doing it based on the Caller Logon ID. I figured I would just send him a link explaining what the caller logon ID was and that in this case it wasn’t going to give him any info but I couldn’t find any good links out on the web talking about what the Caller Logon ID value even is. I saw a lot of questions around it and a lot of people completely ignoring the question so I responded to him and decided I should write a quick blog entry on how to sort this out.

The Caller Logon ID in the event log is basically a logon session ID on the local computer. It lets you chase down the user SID, authentication package, logon type, logon server, and when the user logged on and, if you are really interested, the processes running in that logon session. This information can be extracted with some pretty simple code using

The reason that doesn’t help us here is that I happen to recognize the logon session ID 0x0,0x3E7: to my knowledge it has always been the first logon session (Session ID 0 if you enable viewing of Session IDs in TaskMan), which belongs to the local computer itself. So that just further tells you that it really is LocalSystem (NT AUTHORITY\SYSTEM) making the change. You can also tell logonsessions to dump the processes running under the logon session with -p, but that usually isn’t all that useful for this session because you will typically see a bunch of svchost processes, which really doesn’t help.
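For anyone who wants to do the lookup described above without logonsessions, here is an added PowerShell example (mine, not from the original post or the Sysinternals tool). It turns a Caller Logon ID such as "(0x0,0x3E7)" into the decimal LogonId that the CIM class Win32_LogonSession stores, flags the well-known built-in session LUIDs (0x3E7 SYSTEM, 0x3E5 LOCAL SERVICE, 0x3E4 NETWORK SERVICE), and, for any other session that is still alive, pulls the account, SID, logon type, authentication package and start time through the Win32_LoggedOnUser association. The function names and the well-known table are my own; CIM does not expose the logon server, so that field is not shown.

```powershell
# Added example, not from the original post. Resolves an event-log Caller Logon ID
# to the local logon session it names via Win32_LogonSession / Win32_LoggedOnUser.

# Built-in logon session LUIDs (fixed values from winnt.h; keys are decimal strings).
$WellKnownLogonIds = @{
    '999' = 'NT AUTHORITY\SYSTEM (SYSTEM_LUID 0x3E7, the computer itself)'
    '997' = 'NT AUTHORITY\LOCAL SERVICE (0x3E5)'
    '996' = 'NT AUTHORITY\NETWORK SERVICE (0x3E4)'
}

# Event-log logon type codes, for readability of Win32_LogonSession.LogonType.
$LogonTypeNames = @{ 0='System'; 2='Interactive'; 3='Network'; 4='Batch'; 5='Service';
    7='Unlock'; 8='NetworkCleartext'; 9='NewCredentials'; 10='RemoteInteractive'; 11='CachedInteractive' }

function ConvertFrom-CallerLogonId {
    # "(0x0,0x3E7)" is a LUID written as HighPart,LowPart in hex; combine into one 64-bit value.
    param([Parameter(Mandatory)][string]$CallerLogonId)
    if ($CallerLogonId -notmatch '^\(?\s*0x([0-9A-Fa-f]+)\s*,\s*0x([0-9A-Fa-f]+)\s*\)?$') {
        throw "Not a logon ID (LUID) string: $CallerLogonId"
    }
    $high = [uint64]::Parse($Matches[1], [System.Globalization.NumberStyles]::HexNumber)
    $low  = [uint64]::Parse($Matches[2], [System.Globalization.NumberStyles]::HexNumber)
    return ($high -shl 32) -bor $low
}

function Get-CallerLogonSession {
    param([Parameter(Mandatory)][string]$CallerLogonId)
    $id = ConvertFrom-CallerLogonId $CallerLogonId
    # LogonId is stored as a decimal string in CIM, hence the quoted filter value.
    $session = Get-CimInstance -ClassName Win32_LogonSession -Filter "LogonId = '$id'"
    $accounts = if ($session) {
        Get-CimAssociatedInstance -InputObject $session -Association Win32_LoggedOnUser
    }
    [pscustomobject]@{
        CallerLogonId = $CallerLogonId
        LogonId       = $id
        WellKnown     = $WellKnownLogonIds["$id"]          # $null unless a built-in session
        SessionFound  = [bool]$session                     # $false once the session has ended
        Account       = ($accounts | ForEach-Object { "$($_.Domain)\$($_.Name)" }) -join ', '
        SID           = ($accounts | ForEach-Object { $_.SID }) -join ', '
        LogonType     = if ($session) { $LogonTypeNames[[int]$session.LogonType] }
        AuthPackage   = if ($session) { $session.AuthenticationPackage }
        StartTime     = if ($session) { $session.StartTime }
    }
}

Get-CallerLogonSession '(0x0,0x3E7)'   # the case from the post: resolves to the SYSTEM session
```

If SessionFound is $false the logon session has already ended and only the event record remains, which is why correlating the Caller Logon ID with the matching logon event (by the same ID) at the time of the change is the reliable way back to a user.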